Service Overview
Supplier’s Bot Manager Service protects web applications, mobile apps and APIs from automated attacks carried out by bots. The Service distinguishes between the activity of human visitors, of legitimate automated software (good bots) and of malicious automated software (bad bots), so that mitigation controls can be applied to limit malicious automated and programmatic access to web and mobile applications. To detect automated software the Service uses several proprietary techniques, combining deterministic and machine learning models, including intent-based deep user behavioral analysis that gathers signals across a user’s requests to detect and block malicious bots.
The Service provides the flexibility to configure various bot mitigation options based on the bot generation, bot category, specific page URL and geography. The Service also provides granular analytics and reporting functionality for customers through the Bot Manager Service Portal.
The Service may be deployed through an integrated agent on the customer’s premises, through a virtual appliance, or through DNS diversion as part of a cloud service bundle.
Purpose of the Processing
Processing is performed to protect the assets of the Customer that are covered by the Service (the “Protected Assets”) from automated threats caused by malicious actors; all pursuant to and for the limited purpose of performing Radware’s obligations set out in the Principal Agreement (as defined in the DPA).
Processing of Data in Transit
The Service processes traffic (legitimate and malicious) targeted at the Protected Assets through a Radware Bot Manager POP (Radware has about 21 POPs in Google Cloud Platform (GCP) to receive traffic from Radware’s customers). This is set up so that traffic from the customer’s integration point reaches the nearest POP. From the POP, the traffic is sent over a secure channel to the Bot Manager backend for more detailed analysis.
The Service collects HTTP headers and browser information (through JavaScript) to fingerprint the end user’s device and uses this fingerprint for accurate bot detection. The Personal Data within the collected information is listed under ‘Categories of Personal Data’ below.
Data in transit, at both the network and the application level, is encrypted using TLS 1.2 (AES-128).
Processing of Data at Rest
The Service does not store any information that can directly identify a natural person.
The Service only stores information on malicious actor activity (including malicious source IP addresses and malicious headers), alongside aggregated non-identifiable statistics about legitimate users.
Data at rest is encrypted at the hardware/storage level using AES-256 or AES-128.
Radware’s cloud partner, Google Cloud Platform (GCP), provides Customer-Managed Encryption Keys (CMEK) through Cloud Key Management Service (Cloud KMS) for the Google Kubernetes Engine (GKE) workloads.
Items of Data at Rest stored by the Service
Category: Personal Data
Data description:
Categories of personal data:
- Data collected during the customer onboarding process: first name, last name, business email address and business phone number (optional);
- IP address taken from the HTTP headers of an end user’s HTTP request;
- End User ID, an optional parameter collected only if the Customer chooses to share it with Radware; the User ID value is hashed in the API call;
- Server log file: applicable only where the Customer requests a Bad Bot Analyzer report. The Bad Bot Analyzer is a free service offered by Radware that the Customer can use during a sales or presales phase to understand the volume and impact of bots on its business by scanning the data available in the log. The Customer sends its server logs through a secure encrypted channel.
Additionally, as a ‘privacy by design’ measure, the NGINX connector/agent lets the Customer selectively collect or discard headers that the Customer believes may contain Personally Identifiable Information.
Retention period:
- Bot signature logs: 45 days
- Data collected from the connector (HTTP headers): 60 days
- Bot Manager analytics data: 60 days
- Bot IP feed data (if applicable): 14 days
- Server logs sent for a Bad Bot Analyzer request: 7 days
The maximum data retention period is 60 days.
Data deletion: data is deleted at the end of the applicable retention period set forth above. The Radware Bot Manager Portal also lets the Customer request deletion of the data of individual data subjects or of all data subjects.

Category: Account Information
Data description: Data related to the account protected by the Service. Subscription: account name, subscription period, service plan, contact information, portal user details.
Retention period: Stored as long as the Customer account is active; deleted once the Customer stops using the Service.
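The header selection and hashed End User ID described in the table above, as an added example that is not part of this document and not Radware’s connector or agent code. It assumes a customer-side filter written in Python, a constructed allow-list of headers, an HMAC key held by the customer and a constructed sample request; which headers Radware’s connector actually forwards and which hash it applies to the User ID are not stated on this page.

```python
"""Data-minimising request filter for a bot-detection connector.

Added example, not Radware's connector code.  It shows the 'privacy by
design' idea from the table: forward only an allow-list of headers to the
detection backend, drop headers that carry credentials or session identity
unconditionally, and replace the optional end-user ID with a keyed hash
before it leaves the customer's environment.  The header lists, the key
and the sample request are constructed for this example.
"""
import hashlib
import hmac
from typing import Optional

# Headers a fingerprinting backend typically needs (constructed allow-list;
# the page does not list the headers Radware's connector forwards).
FORWARDED_HEADERS = frozenset({
    "user-agent", "accept", "accept-language", "accept-encoding",
    "x-forwarded-for", "referer",
})

# Headers that carry credentials or session identity.  Dropped before the
# allow-list is consulted, so a mistaken allow-list entry cannot re-enable them.
SENSITIVE_HEADERS = frozenset({
    "cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key",
})


def pseudonymise_user_id(user_id: str, key: bytes) -> str:
    """HMAC-SHA256 of the end-user ID under a customer-held key.

    The backend can still correlate requests from the same user but cannot
    recover the raw ID.  An unkeyed hash of a low-entropy value such as an
    e-mail address can be reversed by hashing candidate values; with a
    keyed hash that attack also needs the key.
    """
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise_request(headers: dict, client_ip: str,
                     user_id: Optional[str] = None,
                     key: Optional[bytes] = None) -> dict:
    """Build the payload a connector would send to the detection backend.

    Only allow-listed headers are forwarded (names normalised to lower
    case), sensitive headers are always dropped, the client IP is kept
    because the detection engine needs it, and the user ID, if supplied,
    is replaced by its keyed hash.
    """
    forwarded = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in SENSITIVE_HEADERS:
            continue
        if lname in FORWARDED_HEADERS:
            forwarded[lname] = value
    payload = {"client_ip": client_ip, "headers": forwarded}
    if user_id is not None:
        if key is None:
            raise ValueError("a key is required to pseudonymise the user ID")
        payload["user_id_hash"] = pseudonymise_user_id(user_id, key)
    return payload


# Constructed sample request, not captured traffic.
SAMPLE_HEADERS = {
    "Host": "shop.example.com",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0",
    "Accept-Language": "en-GB,en;q=0.5",
    "Cookie": "session=9f3c2a7e; consent=1",
    "Authorization": "Bearer example-token",
    "X-Internal-Trace": "req-4471",
}

if __name__ == "__main__":
    print(minimise_request(SAMPLE_HEADERS, "203.0.113.7",
                           user_id="alice@example.com",
                           key=b"customer-held-secret"))
```

Running the block forwards only the User-Agent and Accept-Language headers from the sample request; Host and the internal trace header are not on the allow-list, and the Cookie and Authorization headers are dropped regardless of the allow-list. The key never leaves the customer side, so the backend stores only the HMAC value.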
The above data is stored in virtual private cloud (VPC) environments based in the United States or Europe (GCP) depending on the Customer’s choice. Radware has stringent access control for the data set of the Customer’s application. This data is only accessed by the Customer (and whomever the Customer gives permission to, e.g., a service provider), privileged users (for example, security analysis team member in case of any issues reported/proactive analysis) and by the Radware ERT team (for the purpose of providing the managed Service). The Customer may receive alerts of blocked bot attacks or view status via the online Service Portal.
Data Subjects
Individuals about whom data is provided to Radware through or in connection with the Service by (or at the direction of) the Customer or by the Customer’s end-users, which may include any natural person who accesses the Customer’s Protected Assets as well as employees, agents or advisors of the Customer.
Duration of the Processing
The duration of the processing is determined by the Principal Agreement (as defined in the DPA) or until the deletion of all of Customer’s Personal Data in accordance with the DPA and the “Data Retention and Deletion” details set forth in the table above.
Processing Locations
Approved Sub-Processor/Affiliate (Company Name) | Company address | Approved scope of work | Approved Service Locations | Service Location address
Google | Mountain View, California | PoP | us-east1 | Moncks Corner, South Carolina, USA
Google | Mountain View, California | PoP | us-east4 | Ashburn, Northern Virginia, USA
Google | Mountain View, California | PoP | us-west1 | The Dalles, Oregon, USA
Google | Mountain View, California | PoP | us-west2 | Los Angeles, California, USA
Google | Mountain View, California | PoP | us-west3 | Salt Lake City, Utah, USA
Google | Mountain View, California | PoP | us-west4 | Las Vegas, Nevada, USA
Google | Mountain View, California | PoP | us-central1 | Council Bluffs, Iowa, USA
Google | Mountain View, California | PoP | europe-west4 | Eemshaven, Netherlands
Google | Mountain View, California | PoP | europe-west3 | Frankfurt, Germany
Google | Mountain View, California | PoP | europe-west2 | London, England, UK
Google | Mountain View, California | PoP | europe-west6 | Zürich, Switzerland
Google | Mountain View, California | PoP | europe-north1 | Hamina, Finland
Google | Mountain View, California | PoP | asia-east1 | Changhua County, Taiwan
Google | Mountain View, California | PoP | asia-southeast1 | Jurong West, Singapore
Google | Mountain View, California | PoP | asia-south1 | Mumbai, India
Google | Mountain View, California | PoP | australia-southeast1 | Sydney, Australia
Google | Mountain View, California | PoP | asia-east2 | Hong Kong
Google | Mountain View, California | PoP | asia-northeast1 | Tokyo, Japan
Google | Mountain View, California | PoP | asia-northeast2 | Osaka, Japan
Google | Mountain View, California | PoP | asia-southeast2 | Jakarta, Indonesia
Google | Mountain View, California | PoP | northamerica-northeast1 | Montréal, Québec, Canada
Google | Mountain View, California | Backend engine | europe-west3 | Frankfurt, Germany
Industry Standard Certifications
Radware’s Bot Manager Service complies with the following standards for cybersecurity and privacy:
· ISO 27001 Information Security Management Systems
· ISO 27032 Security Techniques -- Guidelines for Cybersecurity
· ISO 27017 Information Security for Cloud Services
· ISO 27018 Information Security Protection of Personally identifiable information (PII) in public clouds
· HIPAA Health Insurance Portability and Accountability Act
· PCI-DSS Payment Card Industry Data Security Standard – Service Provider Schedule D
Compliance with these standards is audited annually by third party auditors.
Customers may find Radware’s latest cybersecurity and privacy certifications and attestations at https://www.radware.com/newsroom/certificationsindustry/.
An annual SOC2 type II report is being prepared for Radware’s Cloud Services.